Satisfying state, industry, and international compliance obligations can be a daunting task for organizations of all sizes. Between the complexities of individual controls and the cost of ensuring all relevant requirements are being met, the stress can be overwhelming—especially if you need to move quickly to avoid fines and other penalties.
Whether you’ve fallen out of compliance, made changes to your systems, or you’re just trying to anticipate upcoming regulations, TokenEx understands the concerns that come with compliance, and we can move as quickly as you can to address them. Trust us to guide you on this journey so you can focus on the day-to-day operations that contribute to revenue generation, competitive differentiation, and other business imperatives.
The payment card brands set the penalties for noncompliance, and acquiring banks pass them on to their merchants, but there is no published schedule tying specific violations to specific amounts. Fines therefore vary widely, from thousands to hundreds of thousands of dollars per month, and continue until the issues are resolved. Acquiring banks can also impose higher transaction fees on noncompliant merchants or terminate their ability to accept cards.
Data Discovery & Mapping
If you discover your organization isn't complying with the PCI DSS, the first thing to do is determine where cardholder data exists within your environment, including the places it was never meant to be, such as log files, backups, spreadsheets, and call recordings. This can be accomplished by performing an internal mapping exercise or by procuring the services of a third-party data discovery platform to define your organization's PCI scope. Once you've established how much cardholder data you hold and which systems store, process, or transmit it, you can decide how best to remove, segment, or secure it.
Choose a Compliance Strategy
When it comes to addressing compliance initiatives, organizations with fewer available internal resources might want to consider working with third-party services or an external compliance expert. PCI DSS compliant service providers include ecommerce platforms, data protection providers, payment processors, vaulting services, and others. Using one does not end your obligations toward it: you remain responsible for confirming the provider's compliance (for example, by obtaining its Attestation of Compliance each year) and for documenting which requirements it covers on your behalf. In some instances, a combination of internal and external parties could be the preferred method for pursuing compliance.
Compliance is not a set of requirements that simply can be met once and forgotten. It’s an ongoing process that must be assessed at least annually to ensure all the necessary controls are being satisfied, and it should be revisited any time a change to your network occurs.
Often the initial method for reducing scope is to segment your network. This is the process of separating your computing assets, either logically or physically, so that cardholder data interacts with as few of your network-attached resources as possible. Segmentation only reduces scope if it can be shown to work: the PCI DSS requires segmentation controls to be verified by penetration testing, at least annually for merchants and every six months for service providers, and an unverified boundary leaves the whole network in scope. Once segmentation is in place, cardholder data should be kept outside your other business applications and systems, minimizing the footprint of your cardholder data environment.
Evaluating Technology & Providers
Once you've settled on a strategy for compliance, you'll need to determine which compliance technology is appropriate for your organizational needs and then find the best way to implement it. Two popular security technologies for PCI compliance are encryption and tokenization. They share the same goal, rendering cardholder data unreadable to anyone who steals it, but they differ in technique, in how much scope they remove, and in how they are deployed. They can also be used in combination.
Encryption transforms cardholder data with an algorithm and a key, and anyone holding the key can recover the original data. Although it protects the data, encrypted cardholder data stays in scope for any system that can decrypt it, so encryption alone does not reduce scope unless the keys are held and managed by a separate, PCI-compliant third party and your environment has no way to decrypt. If the keys live in your environment, a breach can expose the keys along with the ciphertext. Point-to-point encryption (P2PE) is the exception that does reduce scope: a validated P2PE solution encrypts payment data inside the card reader or PIN pad at the moment of entry, which is typical of point-of-sale systems and call centers that use such devices, so the merchant's own systems only ever see ciphertext they cannot decrypt.
Tokenization is the process of replacing sensitive data with nonsensitive, mathematically unrelated surrogate values called tokens. A token is not derived from the card number by any key or algorithm, so it cannot be reversed; the only way back to the original value is a lookup in the token vault. Once data is tokenized, the token is not cardholder data, so it can traverse your environment without bringing the systems that store, process, or transmit it into scope. When tokenization occurs outside your environment, cardholder data in its original form never enters it, which keeps most of your systems out of scope and greatly increases the likelihood that you'll maintain compliance between annual assessments.
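The following is an added example, not TokenEx code or the TokenEx token format, that ties together the two steps described above: the discovery scan for cardholder data you already hold and the tokenization of what the scan finds. It scans constructed sample log lines for 13- to 19-digit sequences, uses the Luhn check digit to discard look-alike numbers, and runs each confirmed PAN through a toy vault that issues a random token of the same length with the last four digits preserved. The token format, the decision to reject any random token that happens to pass Luhn (so a token can never be mistaken for a live card number), and the sample records are all assumptions made for this example; the card numbers used are the well-known public test numbers and belong to no real account.

```python
"""
Added example, not TokenEx code: a minimal PAN discovery scanner and a toy
token vault, illustrating the article's discovery and tokenization steps.
The token format (same length, last four digits kept, remaining digits
random) and the sample records are assumptions made for this example.
"""
import re
import secrets
from typing import Dict, List, Tuple

# A PAN is 13-19 digits; allow single spaces or hyphens between digits and
# refuse to start or end inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample log lines. The card numbers are the well-known test
# numbers for Visa and Mastercard; order 1003 carries a 16-digit reference
# that is not a card number and should be left alone.
SAMPLE_RECORDS = """\
2024-03-02 10:15:01 order=1001 card=4111 1111 1111 1111 amount=49.99
2024-03-02 10:15:07 order=1002 card=5555-5555-5555-4444 amount=12.00
2024-03-02 10:15:09 order=1003 ref=1234567890123456 amount=5.00
2024-03-02 10:16:44 order=1004 card=4111111111111111 amount=3.50
"""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def _candidate_digits(match_text: str) -> str:
    """Strip separators from a regex match and return digits only."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN candidate in text, digits only, in order."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _candidate_digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


class TokenVault:
    """Toy vault. tokenize() issues a random token the same length as the PAN
    with the last four digits preserved; the PAN-to-token mapping is the only
    way back. A real vault stores PANs encrypted under managed keys and
    enforces access control; a dict stands in for that store here."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:   # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions, and (a design choice of this example) reject
            # tokens that pass Luhn so a token can never pass for a live PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only callers with vault access can do this."""
        return self._token_to_pan[token]


def sanitize(text: str, vault: TokenVault) -> Tuple[str, int]:
    """Replace each Luhn-valid PAN in text with its token. Returns the
    rewritten text and the number of PANs replaced."""
    replaced = 0

    def repl(m) -> str:
        nonlocal replaced
        digits = _candidate_digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            replaced += 1
            return vault.tokenize(digits)
        return m.group(0)           # not a PAN: leave the text untouched

    return PAN_CANDIDATE.sub(repl, text), replaced


if __name__ == "__main__":
    vault = TokenVault()
    print("PANs found:", find_pans(SAMPLE_RECORDS))
    clean, n = sanitize(SAMPLE_RECORDS, vault)
    print(f"replaced {n} PANs:\n{clean}")
```

Two properties of the output are worth noticing. The 16-digit order reference survives untouched because it fails the Luhn check, which is what keeps a discovery scan from drowning in false positives; and the two occurrences of the same test card receive the same token, so downstream systems can still match repeat customers and reconcile transactions without ever holding a card number. Everything in the sanitized records is now outside the cardholder data environment; the only in-scope component left is the vault itself.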
Tokenization and encryption services are commonly offered by third-party payment processors and acquiring banks. Although using a processor’s additional security services might seem convenient, it can often be expensive and difficult to implement due to restrictive data-retention policies and limited deployment options.
Additionally, payment processors often will only protect payment data and any other information sent directly to that specific processor. So if a company uses more than one processor or data type, it will need to manage multiple token sets. This setup can be further complicated if an organization wishes to switch processors, which typically requires the merchant to pay a fee in order to retrieve its original data.
Yet another option for data protection is an on-premises solution. This occurs within an organization’s network and typically involves purchasing both software and hardware. It also requires organizations to keep sensitive data in their environments and shoulder the associated risk, unnecessarily increasing PCI scope and the potential impact of a data breach. Although this model is typically more expensive and labor-intensive than other options, it does offer direct control over implementation and data management.
Cloud tokenization outsources the storage and protection of sensitive data to a PCI DSS compliant third party. Because cardholder data is tokenized before it enters your environment, this is the approach that removes the most scope; it does not eliminate scope entirely, but it removes more than segmentation alone. It also limits the damage of a breach of your own systems, since an attacker finds tokens that cannot be converted back to card numbers without access to the provider's vault. For these reasons cloud tokenization is the strongest option for reducing scope, protecting data, and simplifying compliance.
Even if your cardholder data is protected and stored outside your environment, you still have to satisfy the controls that remain with you. For a merchant that has fully outsourced cardholder data handling (the situation SAQ A describes), these are requirements 2, 8, 9, and 12: secure configuration of the systems you still operate, identification and authentication of the people who access them, physical safeguards, and the security policies, risk assessment, vendor management, and procedural documentation that govern your program. Responsibility for these cannot be transferred to a provider or other third party, even when a provider helps operate them. Your organization is responsible for maintaining these areas to ensure you're operating a sustainable and resilient security program. Recommendations for positioning your organization to more easily comply with these obligations include:
Identifying the controls that several of your regulatory obligations share and using those common controls as the backbone of your security framework. This streamlines compliance work across multiple regulations and grounds your environment in widely recognized best practices.
Working with developers, third-party providers, and other experts who can offer supplemental knowledge to help manage and improve your security practices.
Building on the ideas of data minimization and scope reduction by reducing the potential for human error wherever possible: automate routine security tasks and retire manual processes that depend on someone remembering to do them.
Understanding how your internal systems interact and affect one another so that you can anticipate how potential changes might alter your environment and its compliance standing.
We hope this information is helpful in preparing your organization for PCI compliance and better positioning it for future audits. Our Cloud Security Platform was specifically designed by two former Qualified Security Assessors to help reduce the cost and complexity of PCI compliance, so we would be happy to discuss the value of our solution and to answer any compliance-related questions you might have.